It seems like nearly every day a new threat comes along to prepare for. Now, there’s another one to add to the growing list.
Recently, Japanese researchers found an actively exploited zero-day attack against Microsoft Office – which even works with macros disabled.
The vulnerability tracked as CVE-2022-30190 – better known as ‘the Follina Bug’ affects all Windows versions still receiving updates.
Not only can this attack affect those who open Microsoft Word files, but even previewing the file is enough to fall victim.
The attack can be mitigated by editing a computer’s Windows Registry (see below for details) to block the remote code execution vulnerability.
Let’s break it down in more detail.
What is the Follina Bug?
The Follina vulnerability exploits the Microsoft Diagnostic Tool (MSDT) to execute PowerShell commands that don’t require elevated privileges or macro codes.
Here’s how the attack works:
First, it automates a string of connected attacks, starting with an external link to load an HTML file from a remote server. This then exploits the ‘ms-msdt:’ trouble-shooting domain.
Normally, the series of attacks would trigger warnings and pop-up boxes
Here, however, attackers exploit various MSDT trouble-shooting commands to skip the warnings and directly execute code.
Scrambled source code, read by the command line itself, executes the PowerShell script without saving any files to the local machine.
These attacks work using .doc files, .rtf files, and probably other Office file types, although it’s still too early to know for sure.
Making matters more difficult, you can even trigger them by simply previewing the document in Windows Explorer, or even rendering the thumbnail of the file.
So, how do you safeguard for it?
How to Mitigate Fullina Vulnerability
Hopefully, Microsoft will soon issue a corrective patch to address the Follina vulnerability. As of now, the company has yet to indicate whether or not that’s coming.
However, until one becomes available, they recommend breaking the relationship between the ‘ms-msdt:’ domain and the MSDT utility.
You can do this by editing Windows Registry using one of the following techniques below. Just note that these do require administrator privileges:
- Creating and running a .REG files containing the following text:
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\ms-msdt] - Browse to, and delete “HKEY_CLASSES\ROOT\ms-msdt” in REGEDIT
- Run the command “REG DELETE HKCR\ms-msdt”
As with any registry editing, always remember to back-up first! Also, make sure that the commands are run precisely.
Fortunately, since few organizations actively use the MSDT utility, this URL should be OK to remove for most.
Active Directory Default Attack
Though the Follina vulnerability is making headlines, it’s not the only incident to be wary of.
In other news, Microsoft’s 2019 advice and hardening of the Lightweight Directory Access Protocol (LDAP) channel binding on Active Directory (AD) controllers has proved insufficient.
If you’re deploying Active Directory with default configurations, you remain vulnerable to relay attacks.
The ‘KrbRelayUp’ proof-of-concept hacking tool streamlines previous methods.
What does that mean for you?
Well, attackers can now escalate from low-privileged Windows domain users to high-privileged domain users by exploiting a universal no-fix local privilege escalation.
Though this attack doesn’t work on purely cloud-based Azure Active Directory environments, hybrid environments can attack local AD. Further, the attack can abuse the AD-synch with Azure to escalate cloud privileges.
Systems with Lightweight Directory Access Protocol (LDAP) signing enforced won’t be affected, but only if Extended Protection for Authentication (EPA) for Active Directory Certificate Services (AD CS) is also enabled.
Microsoft has released an advisory to enable LDAP channel binding and LDAP signing, as well as details for how to execute the binding for Windows.
It’s also recommended that you set the ms-DS-MachineAccountQuota attribute to 0, in order to block non-admin users from adding new devices to the domain.
And, as with any other sort of attack, you need to remain vigilant.
Final Thoughts & Next Steps
Fortunately, neither of the aforementioned attacks appear to be widespread.
However, typically, it only takes a few weeks, or even days, for attackers to analyze the news and deploy new attacks.
Additionally, it’s also lucky that both attacks have rather simple mitigations, Still, many IT teams may not have the bandwidth or the expertise to make these changes immediately.
While our cybersecurity tools and advanced firewalls can detect many different types of attacks, neither of the vulnerabilities covered above can be easily captured by traditional or even zero-trust tools.
Cybersecurity monitoring can help to fill in the gaps, but the best defense in this case is to apply the mitigation quickly.
When urgency or expertise is required, outsourcing can provide a cost-effective solution to protect the organization. Blue Bastion, along with the added support of Ideal Integrations, provides no-obligation consultations and can explain how we can deploy our security experts and tools to quickly resolve existing vulnerabilities or to provide ongoing monitoring against new attacks.
Call our team at 412-349-6680 or fill out the form below and our team of cybersecurity experts will create and execute the ultimate security plan to protect your organization.
Stay vigilant.
